Introduction:
Accidental user account deletion happens, even to the best system administrators. At that moment, a wave of panic might wash over you, especially if you delete a VIP account!
But don’t panic; take a deep breath. In this article, I will show you how to restore a deleted user account even if you don’t have an Active Directory backup (not keeping one is a bad habit, but it happens).
But before we dig in, let’s explain what happens when you delete an Active Directory object.
When you delete an Active Directory object (a user, computer or group), it is not permanently removed: the operating system marks it as deleted by setting the object’s “isDeleted” attribute to TRUE. This is what allows Windows to recover the object without restoring from a backup.

In this article we will discuss several ways to recover a deleted user account, based on different scenarios.
Recover a deleted user account from the Recycle Bin:
The Active Directory Recycle Bin allows you to preserve and recover accidentally deleted Active Directory objects. Note that the Recycle Bin is not enabled by default; you have to enable it manually.
If the Recycle Bin is enabled, it will receive the deleted user object and preserve it, with all of its attributes, for 180 days.
Check this article for more info on how to enable the recycle bin.
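As an added example (not code from the original article), here is how the same workflow looks with the ActiveDirectory PowerShell module: checking and enabling the Recycle Bin, listing what is in it, and restoring the “ceo” account. The forest name corp.zinetek.com is assumed from the example DN used later in the article; run it as an Enterprise Admin on a domain controller or a machine with RSAT installed.

```powershell
# Added example, not from the original article.
# Assumptions: forest corp.zinetek.com (taken from the article's example DN),
# deleted user "ceo", Enterprise Admin rights, ActiveDirectory module available.
Import-Module ActiveDirectory

$forest = 'corp.zinetek.com'   # assumed forest name

# 1. Enable the Recycle Bin if it is not already on. This is a one-way change
#    and needs forest functional level Windows Server 2008 R2 or higher.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# 2. List deleted objects that are still within the deleted object lifetime.
#    -IncludeDeletedObjects is required; the container itself is filtered out.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 3. Restore the "ceo" user. A deleted object's name becomes "ceo<LF>DEL:<guid>",
#    so match on the prefix. Objects in the Recycle Bin keep their attributes,
#    so the password, SID and group memberships come back with the object.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -like "ceo*"' `
    -IncludeDeletedObjects
if ($deleted) {
    Restore-ADObject -Identity $deleted.ObjectGUID
    # Verify the result: account enabled and memberships intact
    Get-ADUser -Identity 'ceo' -Properties MemberOf |
        Select-Object Name, Enabled, MemberOf
} else {
    Write-Warning "No deleted object named 'ceo' found; it may be past the deleted object lifetime."
}
```

If the OU that contained the user was deleted as well, restore the OU first (or pass -TargetPath to Restore-ADObject), because an object cannot be restored into a parent that no longer exists.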
Recover a deleted user account using a system state backup:
If you have a recent system state backup, you can use it to recover the deleted user account. For more information on how to perform a system state backup, check this documentation.
The steps:
1. To perform a system state recovery, you must restart the domain controller you want to recover into DSRM (Directory Services Restore Mode). For that, you need the DSRM administrator password: this is the Administrator password Windows asked you to set when you installed the AD DS role and promoted the server to a domain controller.
If you don’t remember this password, you can reset it with the following ntdsutil commands:
ntdsutil
set dsrm password
reset password on server null

2. To restart into DSRM mode, type msconfig in the search bar, then navigate to Boot > Safe boot > Active Directory repair. Click OK and restart the server.

3. Once the server restarts into DSRM mode, you must restore the system state from the most recent backup.
Open a command prompt and type the following command to display the latest backup version:
wbadmin get versions

4. Pick the backup version you want to restore and use it in the following command:
wbadmin start systemstaterecovery -version:{backup-version} -quiet


5. Once the system state recovery process is completed, you will be asked to restart the system to complete the operation. Answer YES.
6. After the system restarts, type the following NTDSUTIL commands to restore the user account (“ceo” in this example):
ntdsutil
activate instance ntds
authoritative restore
restore object "CN=ceo,OU=CEO,DC=corp,DC=zinetek,DC=com"

NB: The authoritative restore guarantees that the restored user account will not be tombstoned again when the domain controller syncs with its replication partners: it raises the object’s version numbers so that the restored copy wins over the replicated deletion.
7. Once the user account is properly restored, restart the system in normal mode by unchecking the Safe boot option in the System Configuration panel (see step 2), and you are all set.
Recover a deleted user account using the ADRestore tool:
If you don’t have a recent system state backup, don’t panic; there is a solution to recover your deleted user account.
As we said previously, when you delete an Active Directory object, it is marked as deleted and remains in the AD database until it reaches the tombstone lifetime, usually 180 days. This holds even if the Recycle Bin is not enabled.
In this section, I will show you how to restore a deleted user using the ADRestore tool. ADRestore is part of the Sysinternals tools; you can download it for free from this link: https://learn.microsoft.com/en-us/sysinternals/downloads/adrestore
The steps:
1. Run the ADRestore tool from a command prompt to display the list of deleted objects.

In the above example, the “ceo” user account was deleted.
2. To recover the ceo user account, type: adrestore -r ceo

3. Unlike the Recycle Bin and system state recovery methods, which restore the account with all its attributes (password, group memberships and so on), ADRestore brings back only a tombstone: you must manually reset the user’s password and re-add them to their original groups.
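The following added example (mine, not part of the original article or the Sysinternals tool) covers the two things a practitioner needs around an ADRestore recovery: finding the tombstone first, so you know the object’s original OU (and the exact DN for an authoritative restore), and then the cleanup the step above describes. It assumes the user “ceo”, the domain corp.zinetek.com from the article, and a group list you have recovered from your own records; the group name “Executives” is a placeholder.

```powershell
# Added example, not from the original article or from ADRestore itself.
# Assumptions: deleted user "ceo", domain corp.zinetek.com, ActiveDirectory module,
# and that $originalGroups below comes from your own records (names are placeholders).
Import-Module ActiveDirectory

# 1. Find the tombstone. Even without the Recycle Bin, a few attributes survive
#    tombstoning, including lastKnownParent, objectSid and sAMAccountName.
$tombstone = Get-ADObject -Filter 'isDeleted -eq $true -and name -like "ceo*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, objectSid, sAMAccountName
if (-not $tombstone) {
    throw "No tombstone for 'ceo' found; it may already be past the tombstone lifetime."
}

# The tombstone name is "ceo<LF>DEL:<guid>"; the part before the line feed is the
# original CN, and lastKnownParent is the OU it lived in. Together they give the
# DN you would pass to "ntdsutil ... restore object" for an authoritative restore.
$originalCn = $tombstone.Name.Split([char]10)[0]
$originalDn = "CN=$originalCn,$($tombstone.lastKnownParent)"
Write-Host "Original DN: $originalDn"

# 2. Run "adrestore -r ceo" at this point. Afterwards the object exists again but
#    most attributes were stripped when it was tombstoned, so finish by hand.
$user = Get-ADUser -Identity $tombstone.objectSid -Properties MemberOf
if ($user.SID.Value -ne $tombstone.objectSid.Value) {
    throw 'Restored object SID does not match the tombstone; aborting cleanup.'
}

# Reset the password (the old one is gone) and force a change at next logon.
$newPassword = Read-Host -AsSecureString 'Temporary password for ceo'
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
Set-ADUser -Identity $user -ChangePasswordAtLogon $true -Enabled $true

# Re-add group memberships. "Domain Users" is the primary group and needs no re-add.
$originalGroups = @('Domain Users', 'Executives')   # placeholder list, taken from your records
foreach ($group in $originalGroups | Where-Object { $_ -ne 'Domain Users' }) {
    Add-ADGroupMember -Identity $group -Members $user
}

# 3. Verify the end state.
Get-ADUser -Identity $user -Properties MemberOf, PasswordLastSet |
    Select-Object Name, Enabled, PasswordLastSet, MemberOf
```

Checking the SID matters because the SID is what ACLs and group memberships reference; a freshly created account with the same name would have a new SID and would not inherit the old permissions, which is exactly why reanimating the tombstone beats recreating the user.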
Best practices:
- Keep taking system state backups at regular intervals. The AD Recycle Bin makes object restoration quick and easy, but it does not help with restoring deleted content from SYSVOL.
- Check the “Protect from accidental deletion” option in the AD object properties.

- Turn on DS change auditing for deletions. After the objects are back, your management will want to know, “What happened?” Make sure you have an answer.

- Test and practice: Don’t wait for a disaster to test your backup or restore technique. Recovering deleted AD objects should be routine.
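As an added example (not part of the original article), the script below puts the first three best practices into effect on a domain controller: protecting OUs and users from accidental deletion, enabling Directory Service Changes auditing and pulling the resulting deletion events (event ID 5141) so you can answer “what happened?”, and scheduling a daily system state backup. The backup target E: and the domain DN corp.zinetek.com are assumptions; adjust them to your environment.

```powershell
# Added example, not from the original article.
# Assumptions: run elevated on a DC in corp.zinetek.com, backup volume E: exists,
# Windows Server Backup feature and ActiveDirectory module are installed.
Import-Module ActiveDirectory

# 1. Protect every OU and user from accidental deletion. This adds Deny
#    Delete / Delete Subtree ACEs for Everyone; an admin must clear the flag
#    deliberately before a delete will succeed.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true
Get-ADUser -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# 2. Turn on Directory Service Changes auditing. This sets the local policy on
#    this DC; in production put the same setting in the Default Domain
#    Controllers GPO so every DC logs it. Deletions are recorded as event 5141.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Events only fire if the object's SACL audits Delete; review the domain root's
# audit entries (default installs audit deletes for Everyone).
(Get-Acl -Path 'AD:\DC=corp,DC=zinetek,DC=com' -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags

# 3. Who deleted what in the last 7 days? Parse 5141 from the Security log.
function Get-ADDeletionEvents {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 5141; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Who    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object = $data.ObjectDN
            Class  = $data.ObjectClass
        }
    }
}
Get-ADDeletionEvents -Days 7 | Format-Table -AutoSize

# 4. Schedule a daily system state backup with wbadmin (the same tool the
#    article's recovery steps read from).
$action  = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
    -Argument 'start systemstatebackup -backupTarget:E: -quiet'
$trigger = New-ScheduledTaskTrigger -Daily -At '1:00 AM'
Register-ScheduledTask -TaskName 'AD System State Backup' -Action $action `
    -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force
```

Run Get-ADDeletionEvents on each domain controller (or forward Security logs to a collector), since a deletion is audited only on the DC that processed it.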
Conclusion:
Accidental deletion of user accounts in Active Directory can be a daunting experience, but recovery is often achievable with the proper knowledge and tools. Whether utilizing the Active Directory Recycle Bin to restore objects within 180 days or leveraging system state backups and third-party tools like ADRestore, multiple paths exist to regain access to lost accounts.
Adopting best practices for Active Directory management, including regular backups and enabling change auditing, is crucial to safeguarding against future mishaps.
By staying proactive and informed, system administrators can confidently navigate the complexities of account recovery, ensuring minimal disruption in their organizational operations. Preparation and practice are key to effectively handling such situations, turning potential crises into manageable tasks.
I hope you found this blog helpful. Before you go, I’d like to ask if you’d consider supporting my work. Running this blog requires a lot of time and dedication, and with more people using ad blockers and AI tools, ad revenue has been declining. Your support would allow me to keep creating the content you enjoy. Thank you for considering it.